summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorultramage <ultramage@54d463be-8e91-2dee-dedb-b68131a5f0ec>2009-04-23 15:09:17 +0000
committerultramage <ultramage@54d463be-8e91-2dee-dedb-b68131a5f0ec>2009-04-23 15:09:17 +0000
commita7e38ac4436d545ad3dd1c9ed35ed5c1300af1c1 (patch)
treec4becea4d70a8d41b6e46db26ff019ccfff8b378 /src
parentd84ca1c320b8a4942ddc5d5cc53a20568cc8bd10 (diff)
downloadhercules-a7e38ac4436d545ad3dd1c9ed35ed5c1300af1c1.tar.gz
hercules-a7e38ac4436d545ad3dd1c9ed35ed5c1300af1c1.tar.bz2
hercules-a7e38ac4436d545ad3dd1c9ed35ed5c1300af1c1.tar.xz
hercules-a7e38ac4436d545ad3dd1c9ed35ed5c1300af1c1.zip
Added length check to functions clif_parse_CreateChatRoom and clif_parse_ChatRoomStatusChange (bugreport:2999).
This prevents a signed/unsigned integer overflow when calling the safestrncpy function. Also added a note regarding a potential out-of-bounds access issue in these functions. git-svn-id: https://rathena.svn.sourceforge.net/svnroot/rathena/trunk@13690 54d463be-8e91-2dee-dedb-b68131a5f0ec
Diffstat (limited to 'src')
-rw-r--r--src/map/clif.c16
-rw-r--r--src/map/mob.c1
2 files changed, 11 insertions, 6 deletions
diff --git a/src/map/clif.c b/src/map/clif.c
index bc2392504..3baba439e 100644
--- a/src/map/clif.c
+++ b/src/map/clif.c
@@ -9095,8 +9095,8 @@ void clif_parse_CreateChatRoom(int fd, struct map_session_data* sd)
bool pub = (RFIFOB(fd,6) != 0);
const char* password = (char*)RFIFOP(fd,7); //not zero-terminated
const char* title = (char*)RFIFOP(fd,15); // not zero-terminated
- char s_title[CHATROOM_TITLE_SIZE];
char s_password[CHATROOM_PASS_SIZE];
+ char s_title[CHATROOM_TITLE_SIZE];
if (sd->sc.data[SC_NOCHAT] && sd->sc.data[SC_NOCHAT]->val1&MANNER_NOROOM)
return;
@@ -9105,8 +9105,11 @@ void clif_parse_CreateChatRoom(int fd, struct map_session_data* sd)
return;
}
- safestrncpy(s_title, title, min(len+1,CHATROOM_TITLE_SIZE));
+ if( len <= 0 )
+ return; // invalid input
+
safestrncpy(s_password, password, CHATROOM_PASS_SIZE);
+ safestrncpy(s_title, title, min(len+1,CHATROOM_TITLE_SIZE)); //NOTE: assumes that safestrncpy will not access the len+1'th byte
chat_createpcchat(sd, s_title, s_password, limit, pub);
}
@@ -9134,11 +9137,14 @@ void clif_parse_ChatRoomStatusChange(int fd, struct map_session_data* sd)
bool pub = (RFIFOB(fd,6) != 0);
const char* password = (char*)RFIFOP(fd,7); // not zero-terminated
const char* title = (char*)RFIFOP(fd,15); // not zero-terminated
-
- char s_title[CHATROOM_TITLE_SIZE];
char s_password[CHATROOM_PASS_SIZE];
- safestrncpy(s_title, title, min(len+1,CHATROOM_TITLE_SIZE));
+ char s_title[CHATROOM_TITLE_SIZE];
+
+ if( len <= 0 )
+ return; // invalid input
+
safestrncpy(s_password, password, CHATROOM_PASS_SIZE);
+ safestrncpy(s_title, title, min(len+1,CHATROOM_TITLE_SIZE)); //NOTE: assumes that safestrncpy will not access the len+1'th byte
chat_changechatstatus(sd, s_title, s_password, limit, pub);
}
diff --git a/src/map/mob.c b/src/map/mob.c
index a249d2724..4577ce0bd 100644
--- a/src/map/mob.c
+++ b/src/map/mob.c
@@ -47,7 +47,6 @@
// Move probability for mobs away from players (rate of 1000 minute)
// in Aegis, this is 100% for mobs that have been activated by players and none otherwise.
#define MOB_LAZYMOVEPERC(md) (md->state.spotted?1000:0)
-#define MOB_LAZYWARPPERC 20 // Warp probability in the negligent mode MOB (rate of 1000 minute)
#define MOB_MAX_DELAY (24*3600*1000)
#define MAX_MINCHASE 30 //Max minimum chase value to use for mobs.
#define RUDE_ATTACKED_COUNT 2 //After how many rude-attacks should the skill be used?